DEC. 12. 2005 4:23PM ZILKA-KOTAB, PC 

-2- 

IN THE CLAIMS 
Amended claims follow: 

1. (Currently Amended) A computer-implemented method for execution with 
computer code embodied on a tangible computer readable medium for detecting 
intrusions on a network, comprising: 

storing signature profiles identifying patterns associated with network intrusions 
in a signature database; 

generating classification rules based on said signature profiles; 
receiving data packets transmitted on the network; 

classifying data packets having corresponding classification rules according to 
said generated classification rules; and 

forwarding said classified packets to a signature engine for comparison with 
signature profiles; 

wherein the classification is carried out by a first classification stage capable of 
classifying the data packets based on a first set of packet characteristics, and a second 
classification stage capable of classifying the data packets received from the first 
classification stage based on a second set of characteristics. 

2. (Original) The method of claim 1 further comprising dropping data packets 
without corresponding classification rules. 

3. (Original) The method of claim 1 wherein classifying said packets comprises 
classifying said packets according to at least one packet field into groups. 

4. (Original) The method of claim 3 further comprising classifying said packets 
within each of the groups according to packet type or size. 

5. (Original) The method of claim 4 wherein classifying said packets according to 
packet size or type comprises classifying said packets according to TCP flags. 
6. (Original) The method of claim 4 wherein classifying said packets according to 
packet size or type comprises classifying said packets according to packet length. 

7. (Original) The method of claim 3 wherein classifying said packets according to 
at least one packet field comprises classifying said packets according to protocol type. 

8. (Original) The method of claim 3 wherein classifying said packets according to 
at least one packet field comprises classifying said packets according to destination port 
number. 

9. (Original) The method of claim 3 wherein classifying said packets according to 
at least one packet field comprises classifying said packets according to destination 
address. 

10. (Original) The method of claim 1 further comprising performing a table 
lookup to select an action to be performed on said packet based on its classification. 

11. (Original) The method of claim 10 wherein one of the actions is comparing 
said packet to at least a subset of the signature profiles. 

12. (Original) The method of claim 10 wherein one of the actions of the table is 
dropping the packet. 

13. (Original) The method of claim 10 further comprising generating an alert 
following the table lookup. 

14. (Original) The method of claim 10 wherein the lookup is performed in a flow 
table and further comprising updating a field of the flow table. 
15. (Original) The method of claim 1 further comprising partitioning signatures 
into disjoint groups to define subsets of signature profiles. 

16. (Original) The method of claim 15 further comprising comparing said packets 
to at least one of the subsets of signature profiles. 

17. (Original) The method of claim 1 further comprising filtering said received 
packets. 

18. (Original) The method of claim 1 wherein receiving said packets comprises 
capturing said packets at a network analysis device. 

19. (Original) The method of claim 18 further comprising decoding protocols 
after receiving said packets. 

20. (Currently Amended) An intrusion detection system including a tangible 
computer readable medium comprising: 

a signature classifier comprising a first stage classifier operable to classify packets 
according to at least one packet field into groups and a second stage classifier operable to 
classify said packets within each of the groups according to packet type or size; 

a flow table configured to support table lookups of actions associated with 
classified packets; 

a signature database for storing signature profiles identifying patterns associated 
with network intrusions; and 

a detection engine operable to perform a table lookup at the flow table to select an 
action to be performed on said packet based on its classification, wherein comparing said 
packets to at least a subset of the signature profiles is one of the actions. 

21. (Original) The system of claim 20 further comprising a data monitoring 
device having a capture engine operable to capture data passing through the network and 
configured to monitor network traffic, decode protocols, and analyze received data. 
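The following is an added worked example, not code from the applicant or the patent itself, showing how the architecture recited in claims 1, 2, 10, 14, 15, 20 and 27 fits together: classification rules derived from a signature database, a first classification stage grouping packets by packet fields (protocol type and destination port), a second stage refining within each group by TCP flags, a hash-table flow table whose entries hold an action and a hit counter, and a signature engine that compares a packet only against the disjoint signature subset for its group. The packet layout, the constructed signature profiles, the action names and the helper names are all assumptions made for illustration.

```python
"""Two-stage packet classifier with a flow-table action lookup and a
signature engine. Added example, not the applicant's code; packet layout,
signature format and action names are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Stage1Key = Tuple[str, int]      # (protocol type, destination port) - claims 7, 8
Stage2Key = str                  # TCP flags, or "*" for "any flags" - claim 5
FlowKey = Tuple[Stage1Key, Stage2Key]


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp" (assumed simplified header)
    dst_port: int
    tcp_flags: str    # e.g. "S", "PA"; "" for non-TCP
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    proto: str
    dst_port: int
    pattern: bytes                  # byte pattern the signature engine looks for
    tcp_flags: Optional[str] = None  # second-stage characteristic; None = any


# Constructed signature profiles for the demo; not real IDS rules.
SIGNATURES = [
    Signature("http-traversal", "tcp", 80, b"../..", "PA"),
    Signature("http-cmd-injection", "tcp", 80, b";cat ", "PA"),
    Signature("dns-long-label", "udp", 53, b"\x3f"),
]


def generate_rules(signatures: List[Signature]) -> Dict[Stage1Key, Dict[Stage2Key, List[Signature]]]:
    """Partition signatures into disjoint groups keyed by the two stages (claim 15).
    The keys are the classification rules generated from the profiles (claim 1)."""
    rules: Dict[Stage1Key, Dict[Stage2Key, List[Signature]]] = {}
    for sig in signatures:
        stage1 = (sig.proto, sig.dst_port)
        stage2 = sig.tcp_flags or "*"
        rules.setdefault(stage1, {}).setdefault(stage2, []).append(sig)
    return rules


def classify(pkt: Packet, rules) -> Optional[FlowKey]:
    """Stage 1 groups by packet fields; stage 2 refines within the group by TCP
    flags. Returns None when no rule covers the packet (dropped, claim 2)."""
    stage1 = (pkt.proto, pkt.dst_port)
    group = rules.get(stage1)
    if group is None:
        return None
    if pkt.tcp_flags in group:
        return (stage1, pkt.tcp_flags)
    if "*" in group:
        return (stage1, "*")
    return None


@dataclass
class FlowEntry:
    action: str      # "compare" or "drop" (assumed action vocabulary, claim 12)
    hits: int = 0    # flow-table field updated on every lookup (claim 14)


def build_flow_table(rules) -> Dict[FlowKey, FlowEntry]:
    """Hash table (a dict) mapping each classification to an action (claims 20, 27)."""
    return {(s1, s2): FlowEntry("compare") for s1, group in rules.items() for s2 in group}


def signature_engine(pkt: Packet, subset: List[Signature]) -> List[str]:
    """Compare the packet against only the signature subset for its group (claim 16)."""
    return [sig.name for sig in subset if sig.pattern in pkt.payload]


def detect(pkt: Packet, rules, flow_table) -> Tuple[str, List[str]]:
    """Detection engine: classify, look up the action, then run the signature
    engine if the action says so. Returns (outcome, matched signature names)."""
    key = classify(pkt, rules)
    if key is None:
        return ("drop", [])
    entry = flow_table[key]
    entry.hits += 1
    if entry.action == "drop":
        return ("drop", [])
    matches = signature_engine(pkt, rules[key[0]][key[1]])
    return ("alert", matches) if matches else ("pass", [])


if __name__ == "__main__":
    rules = generate_rules(SIGNATURES)
    table = build_flow_table(rules)
    # Constructed sample packets.
    for pkt in [
        Packet("tcp", 80, "PA", b"GET /../../etc/passwd HTTP/1.0"),
        Packet("tcp", 22, "S", b""),
        Packet("udp", 53, "", b"\x3fabc"),
        Packet("tcp", 80, "PA", b"GET / HTTP/1.1"),
    ]:
        print(pkt.proto, pkt.dst_port, detect(pkt, rules, table))
```

Packets whose stage-1 or stage-2 key has no generated rule never reach the flow table or the signature engine; that is the dropping of unclassified packets in claim 2, and it is also what keeps the per-packet signature comparison bounded to one disjoint subset rather than the whole database.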

22. (Currently Amended) The system of claim 21 further comprising application 
program interfaces configured to allow the intrusion detection system access to 
applications of the data monitoring device to perform intrusion detection. 

23. (Original) The system of claim 21 further comprising a parser operable to 
parse, generate, and load signatures at the detection engine. 

24. (Original) The system of claim 21 further comprising an alarm manager 
operable to generate alarms. 

25. (Original) The system of claim 21 further comprising a filter configured to 
filter out packets received at the intrusion detection system. 

26. (Original) The system of claim 21 further comprising a capture engine 
configured to forward packets and temporarily store packets for later analysis by the data 
monitoring device. 

27. (Original) The system of claim 20 wherein the flow table is a hash table. 

28. (Original) The system of claim 20 wherein action options listed in the flow 
table include dropping the packet and generating an alarm. 

29. (Original) The system of claim 28 wherein action options further include 
dropping the packet and updating one or more fields of the flow table. 

30. (Currently Amended) A computer program product embodied on a tangible 
computer readable medium for detecting intrusions on a network, comprising: 

code that stores signature profiles identifying patterns associated with network 
intrusions in a signature database; 

code that generates classification rules based on said signature profiles; 
code that receives data packets transmitted on the network; 

code that classifies data packets having corresponding classification rules 
according to said generated classification rules; and 

code that forwards said classified packets to a signature engine for comparison 
with signature profiles and stores signature profiles identifying patterns associated with 
network intrusions in a signature database; [and 

a computer-readable storage medium for storing the codes] 

wherein the classification is carried out by a first classification stage capable of 
classifying the data packets based on a first set of packet characteristics, and a second 
classification stage capable of classifying the data packets received from the first 
classification stage based on a second set of characteristics. 

31. (New) The method of claim 1, wherein the first set of packet characteristics 
includes at least one of a destination address, a protocol type, and a destination port 
number. 

32. (New) The method of claim 1, wherein the second set of packet characteristics 
includes at least one of packet type and a size. 

33. (New) The method of claim 1, wherein only the second classification stage 
remains in communication with a flow table for identifying an action to be taken with 
respect to the data packets. 

34. (New) The method of claim 33, wherein the flow table is at least one hash table. 

35. (New) The method of claim 1, wherein the classification rules are generated after 
filtering the data packets. 